A. Enter the following commands into R1: R1(config)# username R3 secret class. B. Enter the commands into R3: R3(config-if)# ppp authentication pap. C. Configure static Frame Relay maps on R1, R2, and R3.
Enter the following commands on R1:

    R1(config)# interface s0/0/0
    R1(config-if)# encapsulation ppp

Configure PPP PAP Authentication Between R1 and R3.

Note: Instead of using the keyword password as shown in the curriculum, you will use the keyword secret to provide better encryption of the password.

a. Enter the following commands into R1:

    R1(config)# username R3 secret class
    R1(config)# interface s0/0/0
    R1(config-if)# ppp authentication pap
    R1(config-if)# ppp pap sent-username R1 password cisco

b. Enter the following commands into R3:

    R3(config)# username R1 secret cisco
    R3(config)# interface s0/0/0
    R3(config-if)# ppp authentication pap
    R3(config-if)# ppp pap sent-username R3 password class

Configure PPP CHAP Authentication Between R3 and ISP.

a. Enter the following commands into ISP. The hostname is sent as the username:

    Router(config)# hostname ISP
    ISP(config)# username R3 secret cisco
    ISP(config)# interface s0/0/0
    ISP(config-if)# ppp authentication chap

b. Enter the following commands into R3. The passwords must match for CHAP authentication:

    R3(config)# username ISP secret cisco
    R3(config)# interface serial0/1/0
    R3(config-if)# ppp authentication chap
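An added example, not part of the original lab, showing why the two methods configured above differ in exposure: a PAP Authenticate-Request (RFC 1334) carries the password as plain bytes, while CHAP (RFC 1994, MD5) sends only a hash computed over a random challenge, which is why both routers must hold the same secret. Function names are illustrative; the usernames and secrets are the lab's.

```python
import hashlib
import hmac
import os

def pap_request_data(peer_id: bytes, password: bytes) -> bytes:
    # RFC 1334 Authenticate-Request data: length-prefixed Peer-ID and
    # password, sent without any encryption or hashing.
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 with MD5: hash of Identifier || secret || Challenge value.
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(user_db: dict, name: str, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    # The authenticator looks up the secret stored for the peer's hostname
    # and recomputes the hash, so it needs the same secret value as the peer.
    secret = user_db.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    # ISP side of the lab: "username R3 secret cisco".
    isp_db = {"R3": b"cisco"}
    ident, challenge = 1, os.urandom(16)
    good = chap_response(ident, b"cisco", challenge)   # R3 holds the same secret
    bad = chap_response(ident, b"class", challenge)    # R3 holds a different one
    pap = pap_request_data(b"R1", b"cisco")            # R1's PAP request to R3
    return {
        "chap_ok": chap_verify(isp_db, "R3", ident, challenge, good),
        "chap_mismatch": chap_verify(isp_db, "R3", ident, challenge, bad),
        # A captured response is useless against a fresh challenge.
        "chap_replay": chap_verify(isp_db, "R3", ident, os.urandom(16), good),
        # The PAP payload contains the password itself.
        "pap_exposes_password": b"cisco" in pap,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```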
Configuring Static Frame Relay Maps

Configure Frame Relay encapsulation on the S0/0/0 interface of R1.

    R1(config)# interface s0/0/0
    R1(config-if)# encapsulation frame-relay

Step 1: Configure static Frame Relay maps on R1, R2, and R3.

a. Configure R1 to use static frame relay maps. Use DLCI 102 to communicate from R1 to R2. Use DLCI 103 to communicate from R1 to R3. The routers must also support EIGRP multicast on 224.0.0.10; therefore, the broadcast keyword is required.

    R1(config)# interface s0/0/0
    R1(config-if)# frame-relay map ip 10.1.1.2 102 broadcast
    R1(config-if)# frame-relay map ip 10.1.1.3 103 broadcast

Configure ANSI as the LMI type on R1, R2, and R3. Enter the following command on the serial interface for each router:

    R1(config-if)# frame-relay lmi-type ansi
Configuring Frame Relay Point-to-Point Subinterfaces

Step 1: Configure Frame Relay encapsulation on the S0/0/0 interface of R1.

    R1(config)# interface s0/0/0
    R1(config-if)# encapsulation frame-relay
    R1(config-if)# no shutdown

Step 1: Configure subinterfaces on R1, R2, and R3.

a. Configure R1 to use subinterfaces. DLCI 102 is used to communicate from R1 to R2, while DLCI 103 is used to communicate from R1 to R3.

    R1(config)# interface s0/0/0.2 point-to-point
    R1(config-subif)# ip address 10.1.1.1 255.255.255.252
    R1(config-subif)# frame-relay interface-dlci 102
    R1(config-subif)# interface s0/0/0.3 point-to-point
    R1(config-subif)# ip address 10.1.3.2 255.255.255.252
    R1(config-subif)# frame-relay interface-dlci 103

b. Add network entries to EIGRP autonomous system 1 to reflect the IP addresses above.

    R1(config)# router eigrp 1
    R1(config-router)# network 10.1.1.0 0.0.0.3
    R1(config-router)# network 10.1.3.0 0.0.0.3

Step 1: Verify the Frame Relay configuration.

Show information about Frame Relay and the connections that have been made. Note the fields for BECN, FECN, DE, DLCI, and LMI TYPE.

    R1# show frame-relay map
    R1# show frame-relay pvc
    R1# show frame-relay lmi
Configuring Standard ACLs

Step 1: Configure and apply a numbered standard ACL on R2.

a. Create an ACL using the number 1 on R2 with a statement that denies access to the 192.168.20.0/24 network from the 192.168.11.0/24 network.

    R2(config)# access-list 1 deny 192.168.11.0 0.0.0.255

b. By default, an access list denies all traffic that does not match a rule. To permit all other traffic, configure the following statement:

    R2(config)# access-list 1 permit any

c. For the ACL to actually filter traffic, it must be applied to some router operation. Apply the ACL by placing it for outbound traffic on the Gigabit Ethernet 0/0 interface.

    R2(config)# interface GigabitEthernet0/0
    R2(config-if)# ip access-group 1 out

Step 2: Configure and apply a numbered standard ACL on R3.

a. Create an ACL using the number 1 on R3 with a statement that denies access to the 192.168.30.0/24 network from the PC1 (192.168.10.0/24) network.

    R3(config)# access-list 1 deny 192.168.10.0 0.0.0.255

b. By default, an ACL denies all traffic that does not match a rule. To permit all other traffic, create a second rule for ACL 1.

    R3(config)# access-list 1 permit any

c. Apply the ACL by placing it for outbound traffic on the Gigabit Ethernet 0/0 interface.

    R3(config)# interface GigabitEthernet0/0
    R3(config-if)# ip access-group 1 out
Configuring Named Standard ACLs

Step 1: Configure a named standard ACL.

Configure the following named ACL on R1.

    R1(config)# ip access-list standard File_Server_Restrictions
    R1(config-std-nacl)# permit host 192.168.20.4
    R1(config-std-nacl)# deny any

Step 2: Apply the named ACL.

a. Apply the ACL outbound on the interface Fast Ethernet 0/1.

    R1(config)# interface FastEthernet0/1
    R1(config-if)# ip access-group File_Server_Restrictions out

b. Save the configuration.
Configuring an ACL on VTY Lines

Step 1: Configure a numbered standard ACL.

Configure the following numbered ACL on Router.

    Router(config)# access-list 99 permit host 10.0.0.1

Step 2: Place a named standard ACL on the router.

Access to the Router interfaces must be allowed, while Telnet access must be restricted. Therefore, we must place the ACL on Telnet lines 0 through 4. From the configuration prompt of Router, enter line configuration mode for lines 0 4 and use the access-class command to apply the ACL to all the VTY lines:

    Router(config)# line vty 0 4
    Router(config-line)# access-class 99 in

Step 3: Verify the ACL configuration and application to the VTY lines.

Use the show access-lists command to verify the ACL configuration. Use the show run command to verify the ACL is applied to the VTY lines.
Configuring Extended ACLs - Scenario 1

Step 1: Configure an ACL to permit FTP and ICMP.

a. From global configuration mode on R1, enter the following command to determine the first valid number for an extended access list.

    R1(config)# access-list ?
      <1-99>     IP standard access list
      <100-199>  IP extended access list

b. Add 100 to the command, followed by a question mark.

    R1(config)# access-list 100 ?
      deny    Specify packets to reject
      permit  Specify packets to forward
      remark  Access list entry comment

c. To permit FTP traffic, enter permit, followed by a question mark.

    R1(config)# access-list 100 permit ?
      ahp    Authentication Header Protocol
      eigrp  Cisco's EIGRP routing protocol
      esp    Encapsulation Security Payload
      gre    Cisco's GRE tunneling
      icmp   Internet Control Message Protocol
      ip     Any Internet Protocol
      ospf   OSPF routing protocol
      tcp    Transmission Control Protocol
      udp    User Datagram Protocol

d. This ACL permits FTP and ICMP. ICMP is listed above, but FTP is not, because FTP uses TCP. So you enter TCP. Enter tcp to further refine the ACL help.

    R1(config)# access-list 100 permit tcp ?
      A.B.C.D  Source address
      any      Any source host
      host     A single source host

e. Notice that we could filter just for PC1 by using the host keyword or we could allow any host. In this case, any device is allowed that has an address belonging to the 172.22.34.64/27 network. Enter the network address, followed by a question mark.

    R1(config)# access-list 100 permit tcp 172.22.34.64 ?
      A.B.C.D  Source wildcard bits

f. Calculate the wildcard mask by determining the binary opposite of a subnet mask.

    11111111.11111111.11111111.11100000 = 255.255.255.224
    00000000.00000000.00000000.00011111 = 0.0.0.31

g. Enter the wildcard mask, followed by a question mark.

    R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 ?
      A.B.C.D  Destination address
      any      Any destination host
      eq       Match only packets on a given port number
      gt       Match only packets with a greater port number
      host     A single destination host
      lt       Match only packets with a lower port number
      neq      Match only packets not on a given port number
      range    Match only packets in the range of port numbers

h. Configure the destination address. In this scenario, we are filtering traffic for a single destination, the server. Enter the host keyword followed by the server's IP address.

    R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 ?
      dscp         Match packets with given dscp value
      eq           Match only packets on a given port number
      established  established
      gt           Match only packets with a greater port number
      lt           Match only packets with a lower port number
      neq          Match only packets not on a given port number
      precedence   Match packets with given precedence value
      range        Match only packets in the range of port numbers
      <cr>

i. Notice that one of the options is <cr> (carriage return). In other words, you can press Enter and the statement would permit all TCP traffic. However, we are only permitting FTP traffic; therefore, enter the eq keyword, followed by a question mark to display the available options. Then, enter ftp and press Enter.

    R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ?
      <0-65535>  Port number
      ftp        File Transfer Protocol (21)
      pop3       Post Office Protocol v3 (110)
      smtp       Simple Mail Transport Protocol (25)
      telnet     Telnet (23)
      www        World Wide Web (HTTP, 80)
    R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp

j. Create a second access list statement to permit ICMP (ping, etc.) traffic from PC1 to Server. Note that the access list number remains the same and a specific type of ICMP traffic does not need to be specified.

    R1(config)# access-list 100 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62

k. All other traffic is denied, by default.
Step 2: Apply the ACL on the correct interface to filter traffic.

From R1's perspective, the traffic that ACL 100 applies to is inbound from the network connected to Gigabit Ethernet 0/0 interface. Enter interface configuration mode and apply the ACL.

    R1(config)# interface gigabitEthernet 0/0
    R1(config-if)# ip access-group 100 in

Step 1: Configure an ACL to permit HTTP access and ICMP.

a. Named ACLs start with the ip keyword. From global configuration mode of R1, enter the following command, followed by a question mark.

    R1(config)# ip access-list ?
      extended  Extended Access List
      standard  Standard Access List

b. You can configure named standard and extended ACLs. This access list filters both source and destination IP addresses; therefore, it must be extended. Enter HTTP_ONLY as the name. (For Packet Tracer scoring, the name is case-sensitive.)

    R1(config)# ip access-list extended HTTP_ONLY

c. The prompt changes. You are now in extended named ACL configuration mode. All devices on the PC2 LAN need TCP access. Enter the network address, followed by a question mark.

    R1(config-ext-nacl)# permit tcp 172.22.34.96 ?
      A.B.C.D  Source wildcard bits

d. An alternative way to calculate a wildcard is to subtract the subnet mask from 255.255.255.255.

      255.255.255.255
    - 255.255.255.240
    -----------------
    =   0.  0.  0. 15

    R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15 ?

e. Finish the statement by specifying the server address as you did in Part 1 and filtering www traffic.

    R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www

f. Create a second access list statement to permit ICMP (ping, etc.) traffic from PC2 to Server. Note: The prompt remains the same and a specific type of ICMP traffic does not need to be specified.

    R1(config-ext-nacl)# permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62

g. All other traffic is denied, by default. Exit out of extended named ACL configuration mode.

Step 2: Apply the ACL on the correct interface to filter traffic.

From R1's perspective, the traffic that access list HTTP_ONLY applies to is inbound from the network connected to Gigabit Ethernet 0/1 interface. Enter the interface configuration mode and apply the ACL.

    R1(config)# interface gigabitEthernet 0/1
    R1(config-if)# ip access-group HTTP_ONLY in
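An added example, not part of the original lab: a small Python model of how the ACL 100 and HTTP_ONLY entries above are evaluated, covering wildcard matching, first match wins, and the implicit deny at the end. It goes slightly beyond the page by also accepting `any` and numeric ports; function names are illustrative, and only `eq` port matching is modelled.

```python
from ipaddress import IPv4Address as IP

# Port keywords as listed in the "eq ?" help output above.
PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}

def wildcard_from_mask(mask: str) -> str:
    # Wildcard = 255.255.255.255 minus the subnet mask (its bitwise inverse).
    return str(IP(int(IP(mask)) ^ 0xFFFFFFFF))

def _addr(tokens):
    # Consume one address spec: "any", "host A.B.C.D" or "A.B.C.D wildcard".
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(IP(tokens.pop(0))), 0)
    return (int(IP(t)), int(IP(tokens.pop(0))))

def parse_entry(line: str):
    # Takes the rule body, e.g. "permit tcp <src> <wildcard> host <dst> eq ftp".
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _addr(tokens), _addr(tokens)
    port = None
    if tokens[:1] == ["eq"]:
        port = PORTS.get(tokens[1]) or int(tokens[1])
    return action, proto, src, dst, port

def _match(spec, ip: str) -> bool:
    base, wild = spec
    # Wildcard bits set to 1 are ignored; every 0 bit must equal the base.
    return (int(IP(ip)) | wild) == (base | wild)

def evaluate(acl, proto, src, dst, dport=None) -> str:
    for action, a_proto, a_src, a_dst, a_port in map(parse_entry, acl):
        if a_proto not in ("ip", proto):
            continue
        if not (_match(a_src, src) and _match(a_dst, dst)):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action          # first matching entry decides
    return "deny"              # implicit deny that ends every ACL

# Rule bodies exactly as configured on R1 in the lab.
ACL_100 = ["permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp",
           "permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62"]
HTTP_ONLY = ["permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www",
             "permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62"]
```

For example, `evaluate(ACL_100, "tcp", "172.22.34.66", "172.22.34.62", 80)` returns `"deny"`: no entry matches HTTP from the /27, so the packet falls through to the implicit deny.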